← Back to Explore
sublimehighRule
Attachment: DocX embedded binary
This rule is designed to detect sophisticated phishing attacks that deliver binary payloads through MS office open XML files. It identifies malicious documents containing embedded scripts or objects, either encoded in base64 or using specific JavaScript functions like createObjectURL or msSaveOrOpenBlob, which are indicative of attempts to download and execute a binary payload.
Detection Query
type.inbound
and any(attachments,
(
.file_extension in~ $file_extensions_macros
or .file_extension in~ $file_extensions_common_archives
or .content_type == "application/zip"
or (
.file_extension is null
and .file_type == "unknown"
and .content_type == "application/octet-stream"
and .size < 100000000
)
)
and any(file.explode(.),
.file_extension in~ (
"doc",
"docm",
"docx",
"dot",
"dotm",
"xls",
"xlsx",
"xlsm",
"xlm",
"xlsb",
"xlt",
"xltm",
"ppt",
"pptx",
"pptm",
"ppsm"
)
and (
any(.flavors.yara, . == "base64_pe")
// The malicious file to be downloaded and run with the data URI may not always be portable executable
or any(.scan.strings.strings,
strings.ilike(., "*.createObjectURL(*)*")
)
or any(.scan.strings.strings,
strings.ilike(., "*.msSaveOrOpenBlob(*)*")
)
)
)
)
Author
Unknown
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Tags
Attack surface reduction
Raw Content
name: "Attachment: DocX embedded binary"
description: "This rule is designed to detect sophisticated phishing attacks that deliver binary payloads through MS office open XML files. It identifies malicious documents containing embedded scripts or objects, either encoded in base64 or using specific JavaScript functions like createObjectURL or msSaveOrOpenBlob, which are indicative of attempts to download and execute a binary payload."
references:
- "https://www.ired.team/offensive-security/initial-access/phishing-with-ms-office/phishing-replacing-embedded-video-with-bogus-payload"
type: "rule"
authors:
- linkedin: "linkedin.com/in/mehmet-yener-güler-28487621b"
severity: "high"
source: |
type.inbound
and any(attachments,
(
.file_extension in~ $file_extensions_macros
or .file_extension in~ $file_extensions_common_archives
or .content_type == "application/zip"
or (
.file_extension is null
and .file_type == "unknown"
and .content_type == "application/octet-stream"
and .size < 100000000
)
)
and any(file.explode(.),
.file_extension in~ (
"doc",
"docm",
"docx",
"dot",
"dotm",
"xls",
"xlsx",
"xlsm",
"xlm",
"xlsb",
"xlt",
"xltm",
"ppt",
"pptx",
"pptm",
"ppsm"
)
and (
any(.flavors.yara, . == "base64_pe")
// The malicious file to be downloaded and run with the data URI may not always be portable executable
or any(.scan.strings.strings,
strings.ilike(., "*.createObjectURL(*)*")
)
or any(.scan.strings.strings,
strings.ilike(., "*.msSaveOrOpenBlob(*)*")
)
)
)
)
tags:
- "Attack surface reduction"
attack_types:
- "Malware/Ransomware"
tactics_and_techniques:
- "Evasion"
detection_methods:
- "Archive analysis"
- "Content analysis"
- "YARA"
id: "feff0241-0990-5a22-ba90-a53d4021797c"